To ensure the security and integrity of United States critical infrastructure by establishing an interagency task force and requiring a comprehensive report on the targeting of United States critical infrastructure by People’s Republic of China state-sponsored cyber actors, and for other purposes.
Sponsors
Legislative Progress
Passed HouseReceived; read twice and referred to the Committee on Homeland …
Passed House (inferred from eh version)
Committed to the Committee of the Whole House on the …
Mr. Ogles (for himself, Mr. Green of Tennessee, Ms. Lee …
On Motion to Suspend the Rules and Pass
Strengthening Cyber Resilience Against State-Sponsored Threats Act
Summary
What This Bill Does
This bill creates a federal task force to coordinate the government's response to Chinese state-sponsored hackers targeting American critical infrastructure—particularly the "Volt Typhoon" cyber espionage group that has embedded itself in U.S. power grids, water systems, transportation networks, and communications infrastructure. The task force, led by the Department of Homeland Security's cybersecurity agency (CISA) and the FBI, must produce detailed classified reports over five years analyzing how vulnerable America's infrastructure is to Chinese cyber attacks and what would happen in a military conflict.
Who Benefits and How
Cybersecurity contractors and defense companies benefit from likely increased government spending on threat intelligence, digital forensics, and infrastructure protection services to support the multi-year reporting requirements. Critical infrastructure operators (utilities, transportation companies, communications providers) benefit from receiving classified threat intelligence and federal support through awareness campaigns, helping them better defend against Chinese hackers without bearing the full cost of threat analysis themselves.
Who Bears the Burden and How
The Department of Homeland Security (CISA) and FBI face significant new administrative burdens: they must establish the task force within 120 days, produce six major classified reports over five years, coordinate among dozens of federal agencies, and brief six congressional committees annually. Other federal agencies designated as "Sector Risk Management Agencies" (such as the Departments of Energy, Transportation, and Treasury) must dedicate cybersecurity experts to the ongoing task force and share sensitive information about infrastructure vulnerabilities in their sectors. Taxpayers ultimately fund this multi-year intelligence coordination and reporting effort, though the bill contains no explicit appropriation.
Key Provisions
- Creates an interagency task force within 120 days, chaired by CISA and vice-chaired by FBI, requiring subject matter experts in cybersecurity and Chinese cyber tactics
- Mandates an initial classified report within 540 days (18 months), followed by annual reports for five years, assessing Chinese cyber threats to each critical infrastructure sector
- Requires classified assessments of worst-case scenarios: how Chinese hackers could disrupt U.S. military operations, destroy critical infrastructure, and cause economic chaos during a U.S.-China conflict
- Requires a public awareness campaign to educate infrastructure operators about federal cybersecurity resources available to counter Chinese threats
- Task force automatically terminates 60 days after delivering the final report and briefing, with exemptions from standard federal advisory committee rules
Evidence Chain:
This summary is derived from the structured analysis below. See "Detailed Analysis" for per-title beneficiaries/burden bearers with clause-level evidence links.
Primary Purpose
Establishes an interagency task force to detect, analyze, and respond to cybersecurity threats from PRC state-sponsored actors (Volt Typhoon) targeting U.S. critical infrastructure
Policy Domains
Legislative Strategy
"Formalize and enhance interagency coordination to counter Chinese cyber espionage and pre-positioning in critical infrastructure"
Likely Beneficiaries
- Department of Homeland Security (CISA) - receives central coordination authority
- Federal Bureau of Investigation - elevated role as vice-chair
- Cybersecurity services contractors - potential increased demand for threat analysis
- Critical infrastructure operators - receive federal support and intelligence sharing
- Intelligence community - enhanced information sharing mechanisms
Likely Burden Bearers
- DHS/CISA - must establish task force within 120 days and produce 6 annual reports over 5 years
- FBI - must dedicate subject matter experts to ongoing task force
- Sector Risk Management Agencies - must provide representatives and share information
- Attorney General - consultation and information sharing obligations
- Congressional oversight committees - receive extensive classified briefings and reports
Bill Structure & Actor Mappings
Who is "The Secretary" in each section?
- "the_secretary"
- → Secretary of Homeland Security
- "the_director_fbi"
- → Director of the Federal Bureau of Investigation
- "the_director_cisa"
- → Director of the Cybersecurity and Infrastructure Security Agency (CISA)
- "the_attorney_general"
- → Attorney General
- "heads_of_sector_agencies"
- → Heads of Sector Risk Management Agencies
Key Definitions
Terms defined in this bill
House: Homeland Security, Judiciary, Select Intelligence; Senate: Homeland Security & Governmental Affairs, Judiciary, Select Intelligence
A person, structure, facility, information, material, equipment, network, or process (physical or virtual) that enables an organization's services, functions, or capabilities
As defined in section 1016(e) of Public Law 107-56 (42 U.S.C. 5195c(e))
As defined in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)
As defined in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)
As defined in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)
Bidirectional sharing of timely and relevant information concerning a cybersecurity threat posed by a PRC state-sponsored cyber actor to U.S. critical infrastructure
As defined in section 3(4) of the National Security Act of 1947 (50 U.S.C. 3003(4))
Any local government authority or agency within a State having jurisdiction at county, municipal, or other local government level
A collection of assets, systems, networks, entities, or organizations that provide or enable a common function for national security, economic security, or public health/safety
As defined in section 2200 of the Homeland Security Act of 2002 (6 U.S.C. 650)
Any State of the U.S., DC, Puerto Rico, Northern Mariana Islands, U.S. Virgin Islands, Guam, American Samoa, and any other U.S. territory or possession
A combination of personnel, structures, facilities, information, materials, equipment, networks, or processes (physical or virtual) integrated for a specific purpose
When used in a geographic sense, means any State of the United States
The PRC State-sponsored cyber actor described in CISA cybersecurity advisory 'PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure' issued February 7, 2024
We use a combination of our own taxonomy and classification in addition to large language models to assess meaning and potential beneficiaries. High confidence means strong textual evidence. Always verify with the original bill text.
Learn more about our methodology